Schedule Search Result Retention Within Dashboard

EStallcup
Path Finder

For every scheduled search I have that runs in intervals greater than every 24 hours, my dashboards will not use the results of the last run, but instead will run the search inline. I am setting the useHistory parameter to auto, such that it will use the results of the last run, or run it inline if it can't find them. The problem is, it can never find them.

I know the TTL you specify in your saved_searches.conf file is the go-to place for configuring this setting. Mine is currently set to 2p, which as I understand, means the results of each one will be set to two times the length of the interval between each search (e.g. - the results for a scheduled search set to run every MONTH will live on the server for 2 months). Also, I am unclear as to whether this interval also applies to scheduled searches that implement CRON scheduling (instead of the basic start time & end time settings available when you set-up or modify a saved search's settings in the manager UI).

However, I can literally NEVER get these to load by default in my view without the view first having to re-run the search in its entirety.

Before posting, please keep in mind:

(1) Yes, I have the name of the scheduled search spelled correctly in my view (otherwise, I'm pretty sure you'd get an error).

(2) I am not trying to run a saved search from the search bar and use 'Actions' > 'Save'. This search runs automatically and I'm trying to incorporate its results into my View and create a graphical representation of them.

Any help / feedback is much appreciated! I've been trying to overcome this issue for a while now.

1 Solution

EStallcup
Path Finder

The reason this was happening was because I set the scheduled search up to alert every time it completes, in which case, its TTL is that of the alert and not that which you specify for saved searches in SavedSearches.conf.

Lesson Learned.
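The TTL behaviour described in this answer can be modelled in a few lines. This is an added example, not code from the original post or from Splunk; the function names are hypothetical, the 86400-second action TTL is a constructed sample value, and the rule that the largest TTL wins when several actions trigger is an assumption.

```python
"""Added example: model of how long a scheduled search's results are kept."""

DAY = 24 * 60 * 60


def parse_ttl(value, period_s):
    """Convert a TTL setting to seconds.

    "2p" means two scheduled periods; a bare integer is seconds.
    """
    value = value.strip()
    if value.endswith("p"):
        return int(value[:-1]) * period_s
    return int(value)


def effective_ttl(dispatch_ttl, period_s, triggered_action_ttls=()):
    """TTL actually applied to the results of one scheduled run.

    With no triggered alert action the search's own TTL is used. Once an
    action triggers, the action's TTL replaces it (assumption: the largest
    TTL wins when several actions trigger).
    """
    if triggered_action_ttls:
        return max(parse_ttl(t, period_s) for t in triggered_action_ttls)
    return parse_ttl(dispatch_ttl, period_s)


def results_outlive_period(dispatch_ttl, period_s, triggered_action_ttls=()):
    """True if the results are still on disk when the next run is due."""
    ttl = effective_ttl(dispatch_ttl, period_s, triggered_action_ttls)
    return ttl >= period_s


if __name__ == "__main__":
    # Constructed sample schedules; the 86400 s action TTL is a sample value.
    schedules = [("hourly", 3600), ("weekly", 7 * DAY), ("monthly", 30 * DAY)]
    for label, period in schedules:
        plain = results_outlive_period("2p", period)
        alerting = results_outlive_period("2p", period, ["86400"])
        print(f"{label:8} no action: {plain}   alert every run: {alerting}")
```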

the_wolverine
Champion

Then what do you set it up to do if you do NOT set it to alert every time? As far as I can tell (in version 5), there is no setting to tell Splunk this is not an alert. The alert condition and mode is automatically set for any scheduled search.
